Abstract State Machines - Computing and Informatics

Computing and Informatics, Vol. 22, 2003, 209–219

THE EXPRESSIVE POWER OF ABSTRACT-STATE MACHINES Wolfgang Reisig Institut f¨ ur Informatik Humboldt Universit¨at zu Berlin Unter den Linden 6 10099 Berlin, Deutschland e-mail: [email protected]

Abstract. Conventional computation models assume symbolic representations of states and actions. Gurevich’s “Abstract-State Machine” model takes a more liberal position: Any mathematical structure may serve as a state. This results in “a computational model that is more powerful and more universal than standard computation models” [5]. We characterize the Abstract-State Machine model as a special class of transition systems that widely extends the class of “computable” transition systems. This characterization is based on a fundamental Theorem of Y. Gurevich. Keywords: Specification technique, expressive power, computation models, sequential algorithms, transition systems, Abstract State Machines

1 DETERMINISTIC TRANSITION SYSTEMS In the first volume of his seminal opus [8], Don Knuth introduces the notation of algorithms. As a framework for the semantics of algorithms, Knuth suggests computational methods: A computational method is what nowadays would be called an initialized, deterministic transition system, i.e. a triple C = (Q, I, F ) where Q is a set (its elements are denoted as states), I ⊆ Q (the initial states), and F : Q → Q (the next-state function). Furthermore, Knuth assumes a set Ω of

210

W. Reisig

terminal states, and requires F (q) = q for all q ∈ Ω : A terminal state is represented as a fixpoint of F . (Knuth denotes I, Ω and F as input states, output states and computation rule, respectively). As one would expect, a computation sequence of C is a sequence σ = x0 x 1 . . . of states xi ∈ Q, with x0 ∈ I and xi+1 = F (xi ) for i = 0, 1, . . . . The sequence σ is said to terminate if xk ∈ Ω for some index k. Knuth denotes C as an algorithm if each computation sequence of C terminates. This definition comes without the requirement of F being “effective”. Quoting [8, p. 8]: “F might involve operations that mortal man can not always perform”. Knuth defines effective computational methods as a special case: A computational method is effective iff it is essentially equivalent to a Turing Machine or to any other mechanism for the computable functions. Nowadays, the term “algorithm” is usually used to denote what Knuth calls an “effective computational method”. As we did above already, we will use the term “transition system” instead of “computational method”, and “effective transition system” instead of “effective computational method”. Transition systems have been generalized in several directions: Non-terminating computation sequences adequately describe behaviors of reactive systems; the nextstate function F has been generalized to a relation R ⊆ Q × Q, with computation sequences x0 x1 . . . where (xi , xi+1 ) ∈ R. This represents nondeterminism. Additionally one may require the choice of xi+1 to follow a stochastic distribution, or to be fair. Some system models describe a single behavior not as a sequence of states, but as a sequence of actions. The sequence orders the actions along a time axis. One may even replace the total order by a partial order, representing the cause-effect relation among actions. All these generalizations of effective transition systems can be reduced to equivalent conventional effective transition systems, by reasonable notions of reduction and equivalence. Generalizations of this kind are intended to express algorithmic ideas more conveniently. They are not intended to challenge the established notion of effective computation. We study non-effective transition systems in this paper. The reader may wonder whether there is anything interesting “beyond” the computable functions. In fact, there is an exciting proper subclass of all transition systems, called “Sequential Abstract-State Machines” (ASM), that in turn properly contains the effective transition systems. A Sequential ASM has a next-state function that can be represented symbolically; but its states can in general not be represented symbolically. This paper is intended to provide quick insight into the basic principles of ASM. It should help understand why ASM in fact are more universal than standard computation models. Furthermore, the paper provides intuitive reasons for the success of ASM as a specification language, applied in many quite different areas. These applications are only glanced, as well as the various extensions of ASM and the po-

The Expressive Power of Abstract-State Machines

211

werful tools. The paper is not intended to present new results, so the ASM expert will not find any new result in this paper. The rest of this paper is organized as follows: Section 2 presents a very simple example to explain the basic idea of ASM. A formal definition of a very simple kind of Sequential ASM is given in Section 3. Finally, Section 4 presents Gurevich’s Theorem about this class of ASM. It characterizes the amazing expressive power of Sequential ASM. 2 A SIMPLE EXAMPLE OF AN ABSTRACT-STATE MACHINE We begin with a somewhat overly simple example. This example is intended to show that the notion of algorithm is very reasonably defined also in the context of states that cannot symbolically be represented. Let augment be a function with two arguments: The first argument is to be any set, and the second argument is to be any item. For a set M and any item m, define augment(M, m) =def M ∪ {m}.

(1)

We intend to construct an algorithm that augments two elements to a set, using the function augment. More precisely, we want to construct a transition system C0 = (Q0 , I0 , F0 ), such that each set M together with two elements m and n constitutes an initial state xM,m,n . A computation sequence starting with xM,m,n then should terminate with a state that represents the set M ∪ {m, n}. As usual in the description of algorithms and programs, we employ variables. We choose the variable X to vary over sets. In an initial state xM,m,n of C0 the value of X is M . The steps of C0 can be described in the setting of an algorithm P0 : P0 : begin X := augment(X, m); X := augment(X, n) end.

(2)

According to (2), an initial state S0 of C0 is followed by a state S1 , which assigns the set M ∪ {m} to X. State S1 is then followed by a state S2 that assigns the set M ∪ {m, n} to X. S2 is a terminal state of C0 . The description (2) mixes the symbols “X”, “begin”, “end ”, “;” and “:=” with the concrete items m and n, and the function augment. We would prefer an entirely symbolic representation. This is achieved by two additional variables, x and y, and a binary operation symbol, g. In an initial state xM,m,n of C0 the value of X, x and y is now assumed to be M , m and n, respectively, and the value of the operation g is assumed to be the function augment. Then the steps of C0 can be represented as P1 : begin X := g(X, x); X := g(X, y) end.

(3)

212

W. Reisig

The description (3) is an entirely symbolic representation indeed, i.e. a program text. All states of P1 assign m, n and augment to x, y and g, respectively. The representation of states still includes items such as M , m, n, M ∪ {m, n} and augment. We might wish a symbolic representation of states, too. This would require a symbolic representation of sets. A symbolic representation is a sequence of symbols over a finite alphabet, Σ. There are only countable many representations over Σ. There exist many more sets, however. So it is impossible to represent all sets symbolically. Consequently, it is impossible to define the assignment of values to variables symbolically. Hence it is impossible to represent the states of the transition system C0 symbolically. This is the essence of the above example: The next-state function F0 of C0 can be represented symbolically, as in (3), whereas the states of C0 can not. 3 SEQUENTIAL ABSTRACT-STATE MACHINES The example of Section 2 doesn’t fit into the framework of conventional computation models. It is an example for a more general model. To highlight the differences, let C = (Q, I, F ) be an initialized, deterministic transition system, as described in Section 1. First, assume C is an effective transition system. Each state S ∈ Q can be assumed to be represented as a finite sequence of symbols. The successor state F (S) is a sequence of symbols, in general different from S. Summing up, arguments as well as results of the next-state function F are finite sequences of symbols, and there exists a finite symbolic representation for F . Now assume C is a transition system in the framework of the more general model. A state S of C is not symbolically represented, but a semantical object. It consists of a set U (in general infinite), a finite number of distinguished elements u1 , . . . , uk in U , and a finite number g1 , . . . , gl of functions over U , each with its arity ki (i.e. gi : U ki → U ). We employ variables x1 , . . . , xk and symbols f1 , . . . , fl . In a state S, the variable xi denotes the element ui . Hence we write xiS for ui (i = 1, . . . , k). The symbol fj denotes the function gj , written fjS (j = 1, . . . , l). All states of a transition system employ the same variables and function symbols, and these variables and function symbols are used to symbolically represent the next-state function F of C. In technical terms, the variables and function symbols constitute a signature, Σ. Each state of C is a Σ-Algebra (i.e. an element of AlgΣ ). Variables, as we used them, are usually denoted as “constant symbols” or “0-ary function symbols” in the framework of Σ-algebras. We refer to the appendix for details of signatures and algebras. We formulate the next-state function in a programming like notation. The elementary dynamic construct is the assignment statement, formed x := t,

(4)

The Expressive Power of Abstract-State Machines

213

where x is usually called a variable, and t a Σ-ground term. Remember that x is indeed a 0-ary constant symbol of Σ. Applied to a state S, the assignment (4) yields a successor state F (S), where x is assigned the value tS (i.e. xF (S) = tS ). Assignments are not only defined for 0-ary symbols, but for all ground terms t ∈ TΣ . A ground term t ∈ TΣ is in general shaped t = f (t1 , . . . , tn ), where f is an n-ary function symbol, and t1 , . . . , tn ∈ TΣ . In case of n = 0, t is a constant symbol, as discussed above. Applied to a state S, an assignment f (t1 , . . . , tn ) := t0

(5)

updates the function fS at the argument tuple (t1S , . . . , tnS ). Hence, for the successor state F (S) of S holds fF (S) (t1S , . . . , tnS ) = t0S . This kind of update may come as a surprise. It corresponds to an update of an n-dimensional array f in conventional programming. We will allow a set of assignments being performed coincidentally, provided they are consistent, viz no two different assignments update the same location fS (t1S , . . . , tkS ). Here is the formal definition: Definition 1. Let Σ be a signature. 1. Let t, t0 ∈ TΣ with t shaped t = f (t1 , . . . , tk ). Then f (t1 , . . . , tk ) := t0 is a Σ-assignment. 2. Let S ∈ AlgΣ . Two Σ-assignments f (t1 , . . . , tk ) := t0 and f (t01 , . . . , t0k ) := t00 are consistent at S iff (t1S , . . . , tkS ) = (t01S , . . . , t0kS ) implies t0S = t00S . 3. A set of Σ-assignments is consistent at S iff its elements are pairwise consistent at S. In the sequel we do with signatures that include the symbols true, false, undefined, and the usual propositional logic combinators such as “∧” and “¬”. Such signatures will be denoted as ASM signatures. We are now prepared to introduce the program notation for next-state functions: Definition 2. Let Σ be an ASM-signature. 1. The set guardΣ of guards over Σ is the smallest set of terms such that for all t, t0 ∈ TΣ , t = t0 ∈ guardΣ , and β, β 0 ∈ guardΣ implies ¬β ∈ guardΣ and β ∧β 0 ∈ guardΣ . 2. Let r be a Σ-assignment and let β ∈ guardΣ . Then if β then r is a guarded Σ-assignment. 3. Let q1 , . . . , qm be guarded Σ-assignments. Then par q1 , . . . , qn endpar is a sequential, bounded ASM-program over Σ.

214

W. Reisig

Notation. We frequently write r for the guarded assignment if t = t then r, with any term t ∈ TΣ . The semantics of an ASM program is based on the semantics of Σ-assignments: An assignment f (t1 , . . . , tn ) := t0 updates in a state S the function fS at the argument tuple (t1S , . . . , tnS ) with the value t0S . This generalizes to consistent sets Z in the obvious way. Definition 3. Let Σ be a signature, let S be a Σ-algebra with universe U , and let Z be a set of Σ-assignments, consistent at S. 1. For a k-ary symbol f ∈ Σ, let f Z,S :

Uk → U (t1S , . . . , tkS ) 7→ t0S iff f (t1 , . . . , tk ) := t0 ∈ Z u 7→ fS (u), otherwise

2. Let R =def semZ (S) be the Σ-algebra with universe U , defined for each symbol f ∈ Σ by fR = f Z,S . The semantics of an ASM program M is now reduced to the semantics of assignments: To apply M to a state S, first evaluate the guards of M at S, and then execute all assignments with true guards: Definition 4. Let Σ be an ASM-signature. 1. Let β ∈ guardΣ and let S ∈ AlgΣ . Then βS = true iff β = (t = t0 ) and tS = t0S , or if β = ¬β 0 and not βS0 = true, or if β = β 0 ∧ β 00 and βS0 = βS00 = true. 2. Let M: par if β1 then r1 .. . if βm then rm endpar

be an ASM-program over Σ. Then the semantic function semM : AlgΣ → AlgΣ is defined as follows: For S ∈ AlgΣ let Z := {ri | βiS = true, 1 ≤ i ≤ m}. Then  semZ (S), if Z is consistent on S , semM (S) := S, otherwise . An ASM program M over a signature Σ can serve as the next-state function of a transition system that employs Σ-algebras as states:

215

The Expressive Power of Abstract-State Machines

Definition 5. Let Σ be an ASM signature, let M be an ASM program over Σ and let A = (Q, I, F ) be a transition system with Q ⊆ AlgΣ and F = semM . Then A is an ASM transition system. Program P1 in (3) of Section 2 is no ASM program at first glance: An ASM program cannot express sequential composition. This deficit is easily overcome by a well-known “trick”: Extend the initial state by a fresh variable, l, and valuate l by 0 in the initial state, S0 . Reformulate (3) by P2 : par

if if if if

l=0 l=0 l=1 l=1

then then then then

X := g(X, x); l := 1; X := g(X, y); l := 2

endpar. Many versions of ASM deviate from the strict syntax of Definition 4, very well allowing notations such as (3). 4 THE EXPRESSIVE POWER OF SEQUENTIAL ASM TRANSITION SYSTEMS In the sequel we discuss the expressive power of ASM transition systems. They turn out to be amazingly expressive: Intuitively formulated, every transition system with a symbolically representable next-state function can be represented as an ASM transition system. As a technicality, all constructs go up to isomorphism. First we describe the next-state function F for each state S by the “difference” between S and its follower state, F (S). This difference is a set of updates (f, u, v), where f is a function symbol, u is an n-tuple of elements with n the arity of f , and v is a single element. Applied to a state S, an update (f, u, v) denotes fF (S) (u) = v, i.e. the function symbol f , interpreted in state F (S), and applied to the argument u, is equal to v. Here is a formal definition: Definition 6. Let Σ be a signature, let f be a function symbol in Σ with arity n, let U be a universe, let u ∈ U n and v ∈ U . Then (f, u, v) is a Σ-update over U . For example, the update (X, (), M ∪ {m}) describes the step from S0 to S1 in Section 2. The next-state function F usually updates more than one function at more than one position: The step from a state S to its successor state F (S) covers usually a set of updates: Definition 7. Let A = (Q, I, F ) be an initialized, deterministic transition system with Q ⊆ AlgΣ for a signature Σ. Let S ∈ Q. 1. A Σ-update (f, u, v) is an F -update of S iff fS (u) 6= fF (S) (u) = v. 2. Let ∆(F, S) denote the set of all F -updates of S.

216

W. Reisig

For all S, the sets ∆(F, S) together constitute F . Hence, F may be characterized by help of the sets ∆(F, S), i.e. by a symbolic representation of ∆(F, S). Such a symbolic representation must meet the following properties: If two states R and S evolve different update sets, i.e. ∆(F, S) 6= ∆(F, R), then at least one term t ∈ TΣ witnesses the difference: tR 6= tS . Furthermore, as a symbolic representation is always finite, i.e. finitely many witnesses must suffice for all states. F is called a bounded exploration in this case. Here is a formal definition: Definition 8. Let A = (Q, I, F ) be an initialized, deterministic transition system with Q ⊆ AlgΣ for a signature Σ. Let T ⊆ TΣ such that for all states R, S ∈ Q: If for all t ∈ T the equation tR = tS holds, then ∆(F, R) = ∆(F, S). In this case, T is called characteristic for F . F is a bounded exploration if there exists a finite characteristic set T of terms for F . The bounded exploration property is the decisive property for F to be representable by an ASM program. The additional requirement is a technicality: States and initial states are closed under isomorphism, and the next-state function F is invariant under isomorphism. These requirements are due to the well known observation that term representations cannot distinguish isomorphic structures: Definition 9. Σ be a signature, let A = (Q, I, F ) be an initialized, deterministic transition system with Q ⊆ AlgΣ such that for all R, S ∈ Q and each isomorphism h : R → S holds: 1. R ∈ Q iff S ∈ Q and R ∈ I iff S ∈ I. 2. h : F (R) → F (S) is an isomorphism, too. Then A is isomorphic closed. The following Theorem describes the expressive power of ASM transition systems: Theorem 1. Let Σ be an ASM signature, let Q ⊆ AlgΣ , let A = (Q, I, F ) be an initialized, deterministic, isomorphism closed transition system and let F be a bounded exploration. Then there exists an ASM program M with F = semM . This fundamental Theorem has been proven in [7]. The proof has been reformulated in [9]. 5 FURTHER ASPECTS OF ASM The term “Abstract-State Machine” refers to the fundamental idea that a state is a mathematical structure. We discussed the most elementary version of ASM in a particular syntactic representation. In general, the syntax of ASM is not entirely fixed; many other versions are likewise reasonable.

The Expressive Power of Abstract-State Machines

217

There are substantial extensions to the elementary versions of ASM as discussed in this paper: The deterministic next-state function F may be replaced by a nondeterministic next-state relation. Reactive behavior of an ASM program may be modelled by steps xi xi+1 which are not conducted by the program, but by the outside world. Bounded exploration may be generalized, using ∀-quantified formulas in ASM programs. A distributed version of ASM has likewise been advocated, where a simple run consists of a partial order of actions. Turbo ASM allow to squeeze a sequence of assignments into one super-assignment. The Lipari Guide [6] gives details on various versions of ASM and their expressive power. Σ-algebras are the most neutral kind of mathematical structure. Σ-algebras therefore provide the most flexible means to model states of systems. This is why the ASM approach has “. . . the ability to simulate arbitrary algorithms on their natural level of abstraction, without implementing them” [2]. In fact, the liberal requirement for states and steps adapt easily and perfectly to any kind of algorithm, and in particular to high-level system design. It comes without surprise that ASM have been particularly successful in describing the semantics of programming languages: Semantics deals with a rich variety of mathematical structures that don’t require a syntactical representation. This, exactly, is what ASM provides. The ASM formalism has successfully been applied to virtually all areas of software. The recent textbook [4] of B¨orger and St¨ark introduces and surveys the most important aspects of ASM theory, application, and tools. A lot of applications can also be found in [2] and the excellent ASM website [1]. Acknowledgements I thank Dines Bjørner for his encouragement to write this paper. Two anonymous referees suggested very valuable improvements of the text. REFERENCES [1] The ASM web-page: http://eecs.umich.edu/gasm. ¨ rger, E.: High Level System Design and Analysis Using Abstract State Machines. [2] Bo In D. Hutter et al., editor, Current Trends in Applied Formal Methods, Vol. 1464 of LNCS, pp. 1–43, 1999. ¨ rger, E.: The Origin of the ASM Method for High Level System Design and [3] Bo Analysis. Journal of Universal Computer Science, Vol. 8, 2002, No. 1, pp. 2–74. ¨ rger, E.: St¨ark, R.: Abstract State Machines – A Method for High-Level System [4] Bo Design and Analysis. Springer Verlag, 2003. [5] Gurevich, Y.: A New Thesis. American Mathematical Society Abstracts. p. 317, August 1985. [6] Gurevich, Y.: Evolving Algebra 1993: Lipari Guide. In E. B¨orger, editor, Specification and Validtion Methods, pp. 9–36, Oxford University Press, 1995.

218

W. Reisig

[7] Gurevich, Y.: Sequential Abstract-State Machines Capture Sequential Algorithms. ACM Transactions on Computational Logic, Vol. 1, 2000, No. 1, pp. 77–111. [8] Knuth, D. E.: The Art of Computer Programming. Vol. 1: Fundamental Algorithms. Addison-Wesley, 1973. [9] Reisig, W.: On Gurewich’s Theorem on Sequential Algorithms. Acta Informatica, Vol. 39, 2003, pp. 273–305.

APPENDIX: ELEMENTARY NOTIONS OF GENERAL ALGEBRA We employ General Algebra in its most simple form, sticking to homogeneous algebras with total functions. We introduce corresponding signatures and state some elementary relations between signatures and algebras. An algebra consists of a set and a choice of functions: Definition A-1. Let U be a set. 1. Let ϕ : U . . × U} → U be a function. Then n is its arity. | × .{z n−f old

2. The case of arity n = 0 yields a constant, i.e. an element ϕ() ∈ U , written ϕ. 3. Let n1 , . . . , nk ∈ N. For i = 1, . . . , k let ϕi be a function over U with arity ni . Then S = (U, ϕ1 , . . . , ϕk ) is an algebra. U is its carrier; (n1 , . . . , nk ) is its type. A signature provides names for the functions of algebras: Definition A-2. Let f1 , . . . , fk be symbols and let n1 , . . . , nk ∈ N. 1. Σ = (f1 , . . . , fk , n1 , . . . , nk ) is a signature. For 1 ≤ i ≤ nk , the number ni is the arity of fi . 2. fi is a constant symbol if ni = 0. fi is a function symbol otherwise. Ground terms compose symbols according to their arity: Definition A-3. Let Σ be a signature. The set TΣ of Σ-ground terms is inductively defined as follows: 1. Each constant symbol is a ground term. 2. If f is a function symbol with arity n, and if t1 , . . . , tn are ground terms, then f (t1 , . . . , tn ) is a ground term, too. Each signature characterizes a set of algebras: Definition A-4. Let Σ = (f1 , . . . , fk , n1 , . . . , nk ) be a signature. Each algebra S = (U, g1 , . . . , gk ) with arity (n1 , . . . , nk ) is called a Σ-algebra. S is often called an interpretation of Σ; gi is frequently written fiS and denoted as the interpretation of fi in S. Notation. For a signature Σ, let AlgΣ denote the set of all Σ-algebras.

The Expressive Power of Abstract-State Machines

Reisig

219

Wolfgang studied physics and computer science at Karlsruhe and Bonn, graduating n 1974. In 1974–1976 and 1976–1983, he was assistant professor at the University of Bonn and RWTH Aachen, respectively. In 1979, he received the PhD degree from RWTH Aachen. In 1983–1984 he was visiting professor at University of Hamburg; from 1993 to date he is full professor at Humboldt-Univerit¨at zu Berlin, where he acted as the managerial director at the Department of Computer Science (1994–1996) and Dean of the Mathematical and Natural Science Faculty (1996–1998). In summer 1997, he acted as a senior researcher at the International Computer Science Institute (ICSI) at Berkeley, California; in the winter term 2000/2001 he took “Lady Davis Visiting Professorship” at the Technion, Haifa (Israel). Since 2002, he is the managerial director at the Department of Computer Science.